How to read Azure KeyVault secrets using Managed Identity in .NET Framework 4.8 C#

Using Managed Identity to deploy azure resources is considered best practice as it reduces the overhead of keeping additional credentials (tokens/passwords) in config files. This article is about accessing Auzre KeyVault using Managed Identity. I am using .NET Framework 4.8 version for this tutorial.

Step 1 – Create KeyVault and secrets

First, just go to Azure Portal and create necessary secret values for testing. I would go with a “testkey” and a dummy value.

(I am assuming you know the basics of Azure Portal and knows how to create an azure resource such as KeyVault)

image

Also, please take a note of the “Vault URI” you can see in the “Overview” section. We would require it in the C# Code.

Step 2 – Create Sample .NET App

Next, open Visual Studio (I have used 2022) and start a new project. I have used a .NET Framework 4.8 Console Application.

Step 3 – Install necessary NuGet packages

We require two major packages for this project. Install these:

1. Azure.Identity
2. Azure.Security.KeyVault.Secrets

image

Step 4 – Coding!

This is the sample code I have used. Make sure to replace with your keyvault URL.

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

namespace kvtest
{
     internal class Program
     {
         static void Main(string[] args)
         {
             SecretClient secretClient = new SecretClient(new Uri("https://your-keyvault.vault.azure.net/"), new DefaultAzureCredential());
             var secret = secretClient.GetSecret("testkey");
             Console.WriteLine(secret.Value.Value);

            Console.ReadKey();

        }
     }
}

Notice the “DefaultAzureCredential()”, which does the trick of our Managed Identity, without providing plain credentials here.

Step 4 – Login to Azure

If you “run” your app at this stage, you will end up getting an error like the one below. This is because, currently you do not have any connection between your laptop and azure portal. This application will work if you host this in Azure, in any resources like App Service but you cannot run this in your developer laptop/machine if you want to debug.

image

To make your app debug-able in your machine, you have to let Visual Studio login to Azure.

Go to Tools –> Options –> Azure Service Authentication

and, login to your account there.

image

Step 5 – Execute!

Now we are all set for building and running the app. Just hit F5!

image

Power Automate: POST a file to trigger a HTTP flow and upload to SharePoint

My use case here was to store the resumes uploaded by candidate in a website directly in a SharePoint list.

Below is the high level flow the process, created in Power Automate (same you can do in Azure Logic Apps as well with similar steps)

image

Here is the output, i.e., data and file uploaded to SharePoint/Office 365

image

The HTTP call is expected to be made from the external application such as a web page but for the purpose of testing, here is the Postman screen used:

image

Detailed flow

Let us start with an HTTP Request Trigger. You will get a URL which looks like in the below screenshot. This is the URL you will be using. By default this will be using anonymous auth, but you can secure it using few methods, like this one.

image

Parsing Json

This is an optional step. I wanted to pass some parameters also in addition to the file upload, but I chose not to send individually but as a json string. Since it is a Json string, I have to parse it to extract values from it.

image

This is the sample input I have. Refer to postman screenshot above.

{

"position": "Java Developer",

"firstname": "Praveen",

"lastname": "Nair",

"email": "praveennnn@abcdef.com",

"phone": "+9715555555",

"urls": ["http://www.google.com", "https://www.adfolks.com"]

}

Create SharePoint List row

Creating a list row and attaching the file is a two step process. First we have to create the row, then using that ID, we have to attach the uploaded file.

image

Final notes

The last send-mail component you see is just to notify someone in recruitment team that there is a job application logged in SharePoint. Same you can achieve using SharePoint notification features so you may ignore it.

I found that getting filename from the uploaded payload is not so straightforward in Power Automate (someone correct me if I am wrong), but anyways I did’nt need that because the logic I had to use here is to create a custom filename using the candidate’s name and adding the extension we get from the content-type.